Add a credit types field (#110)

As discussed in #85, we'd like to propose these changes to the OSV schema to add credit types/roles that correspond to those defined by the [MITRE CVE schema](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json). Would appreciate any feedback or proposed changes! --------- Signed-off-by: Kailani Chu <hawaiigal@github.com>
ossf · Feb 8, 2023 · d3bc675 · d3bc675
1 parent 0a0b7a7
commit d3bc675
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 2 deletions.
diff --git a/docs/schema.md b/docs/schema.md
@@ -100,7 +100,8 @@ A JSON Schema for validation is also available
 	} ],
 	"credits": [ {
 		"name": string,
-		"contact": [ string ]
+		"contact": [ string ],
+		"type": [ string ]
 	} ],
 	"database_specific": { see description }
 }
@@ -727,6 +728,7 @@ The known reference `type` values are:
 	"credits": [ {
 		"name": string,
 		"contact": [ string ],
+		"type": [ string ],
 	} ]
 }
 ```
@@ -752,9 +754,28 @@ is required for each `credits` entry.
 Each `credits[].contact[]` entry should be a valid, fully qualified, plain-text URL
 at which the credited can be reached. Providing contacts is optional.
 
+### credits[].type[] field
+
+The optional `credits[].type[]` field should specify the type or role of the individual or entity
+being credited.  It must be one of the following defined credit types:
+
+- `FINDER`: identified the vulnerability.
+- `REPORTER`: notified the vendor of the vulnerability to a CNA.
+- `ANALYST`: validated the vulnerability to ensure accuracy or severity.
+- `COORDINATOR`: facilitated the coordinated response process.
+- `REMEDIATION_DEVELOPER`: prepared a code change or other remediation plans.
+- `REMEDIATION_REVIEWER`: reviewed vulnerability remediation plans or code changes for effectiveness and completeness.
+- `REMEDIATION_VERIFIER`: tested and verified the vulnerability or its remediation.
+- `TOOL`: names of tools used in vulnerability discovery or identification.
+- `SPONSOR`: supported the vulnerability identification or remediation activities.
+- `OTHER`: any other type or role that does not fall under the categories described above.
+
+These values and their definitions correspond directly to the credit types defined in the
+[MITRE CVE specification](https://cveproject.github.io/cve-schema/schema/v5.0/docs/#collapseDescription_oneOf_i0_containers_cna_credits_items_type).
+
 #### Examples
 
-Including a URL and an email address in `credits[].contact[]`:
+Including a URL and an email address in `credits[].contact[]` and a credit type:
 
 ```json
 {
@@ -764,6 +785,7 @@ Including a URL and an email address in `credits[].contact[]`:
 			"https://twitter.com/JaninaKowalska01",
 			"mailto:nina@kowalska-family.net"
 		],
+		"type": "REMEDIATION_DEVELOPER",
 	} ]
 }
 ```

diff --git a/validation/schema.json b/validation/schema.json
@@ -286,6 +286,21 @@
             "items": {
               "type": "string"
             }
+          },
+          "type": {
+            "type": "string",
+            "enum": [
+              "FINDER",
+              "REPORTER",
+              "ANALYST",
+              "COORDINATOR",
+              "REMEDIATION_DEVELOPER",
+              "REMEDIATION_REVIEWER",
+              "REMEDIATION_VERIFIER",
+              "TOOL",
+              "SPONSOR",
+              "OTHER"
+          ]
           }
         },
         "required": [